add security context to driver pods

IBM · Dec 3, 2020 · 07dabe4 · 07dabe4
1 parent 4a13e37
commit 07dabe4
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/pkg/controller/ibmblockcsi/syncer/csi_controller.go b/pkg/controller/ibmblockcsi/syncer/csi_controller.go
@@ -101,8 +101,9 @@ func (s *csiControllerSyncer) ensurePodSpec() corev1.PodSpec {
 		Containers: s.ensureContainersSpec(),
 		Volumes:    s.ensureVolumes(),
 		SecurityContext: &corev1.PodSecurityContext{
-			FSGroup:   &fsGroup,
-			RunAsUser: &fsGroup,
+			RunAsUser:    &fsGroup,
+			RunAsNonRoot: boolptr.True(),
+			FSGroup:      &fsGroup,
 		},
 		Affinity:           s.driver.Spec.Controller.Affinity,
 		Tolerations:        s.driver.Spec.Controller.Tolerations,

diff --git a/pkg/controller/ibmblockcsi/syncer/csi_node.go b/pkg/controller/ibmblockcsi/syncer/csi_node.go
@@ -99,6 +99,7 @@ func (s *csiNodeSyncer) ensurePodSpec() corev1.PodSpec {
 		HostIPC:            true,
 		HostNetwork: 		true,
 		ServiceAccountName: config.GetNameForResource(config.CSINodeServiceAccount, s.driver.Name),
+		SecurityContext:    &corev1.PodSecurityContext{RunAsNonRoot: boolptr.True()},
 		Affinity:           s.driver.Spec.Node.Affinity,
 		Tolerations:        s.driver.Spec.Node.Tolerations,
 	}